
Catch All Mailbox vs Catch All Address: Key Differences (2026)

By Alexey Bulygin
You turned on catch-all for your domain. Now every mistyped, guessed, or bot-generated address lands somewhere on your server. But where exactly? That depends on whether you set up a catch all mailbox or just enabled a catch all address—and most people don't realize these are two separate things.

The address is a routing rule. The mailbox is where the mail sits. Confuse them and you'll end up with storage overflows, broken reply chains, and a domain reputation that tanks inside a month. This guide breaks down the mechanical difference, shows you how each one works at the SMTP level, and walks through the right way to set this up—whether you're running one domain or fifty.

If you're still deciding whether catch-all is even worth enabling, start with our complete guide to domain catch-all email.

What Is a Catch All Mailbox, and How Does It Differ From a Catch All Address?

A catch all mailbox is a physical storage destination—a real inbox with login credentials, a storage quota, and an IMAP endpoint. It holds every message that the catch all address accepted. The catch all address, by contrast, is a virtual routing policy. It tells your mail server: "Don't reject unknown recipients. Accept them." It doesn't store anything on its own. It just opens the gate.

Think of it this way: the address is the decision to let strangers into the building. The mailbox is the room you put them in. Without the address rule, unknown mail bounces at the door. Without the mailbox, accepted mail has nowhere to go—and your server either drops it or dumps it into whatever default inbox it can find.

How the Routing Policy Works at the SMTP Level

When an email arrives, your Mail Transfer Agent checks the recipient against a directory of known users during the SMTP handshake. Here's what happens in each scenario.

Standard setup (no catch-all):

SENDER: RCPT TO: <ghost@yourdomain.com>
YOUR SERVER: 550 5.1.1 User unknown

Connection closes. No data transfers. The sender knows immediately the address doesn't exist.

Catch-all enabled:

SENDER: RCPT TO: <ghost@yourdomain.com>
YOUR SERVER: 250 2.1.5 OK

Your server accepts the full message payload. It doesn't care that "ghost" isn't a real user. The routing policy overrode the directory lookup.

This is why enabling catch-all without a proper catch all mailbox destination is dangerous. You're telling the internet you'll accept mail for any address at your domain—including the thousands of common prefixes that spammers blast during directory harvest attacks (admin@, invoice@, billing@, ceo@).

Three Ways to Architect Your Catch All Mailbox

Once the catch all address accepts a message, it has to land somewhere. How you configure that destination determines your cost, security exposure, and daily workflow.

Option A: Dedicated Isolation Mailbox

Route all catch-all traffic to a single, purpose-built mailbox like catchall-store@domain.com. Nobody uses it as a primary inbox. You check it periodically for legitimate misrouted mail and let the rest rot.

Upside: Clean separation. Your real users never see spam or bot traffic. Easy to apply aggressive spam filters without affecting production mail.

Downside: On platforms like Google Workspace or Microsoft 365, this mailbox costs a full user license—$6 to $30/month just to store junk.

Option B: Alias to Admin Inbox

Map the catch-all directly to your primary admin or CEO inbox. Fast to set up. Terrible to live with.

Within a week, the signal-to-noise ratio collapses. You can't tell a mistyped client email from bot garbage. Alert fatigue sets in. You stop checking. And then you miss the exact email the catch-all was supposed to save.

Option C: Accept and Discard

Accept the mail at the SMTP level, then immediately delete it. This avoids storage costs but creates a serious risk: if your server generates a bounce after accepting the message, that's backscatter. You're accepting spam from a spoofed sender, then sending a Non-Delivery Report to an innocent third party. That gets your IP blacklisted fast.

The rule: If you don't want the mail, reject it at the edge with a 550 error. Don't accept with a 250 and then bounce.
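The RCPT-stage decision described above, written out as a small model (an added example, not TrekMail's or any mail server's own code). The mailbox names, quotas and the `size` argument, assumed to be the SIZE value the sender declared on MAIL FROM, are constructed for illustration.

```python
# Added example: RCPT-stage policy model. All names and data are constructed.
from dataclasses import dataclass

@dataclass
class Mailbox:
    quota_bytes: int
    used_bytes: int = 0

DOMAIN = "yourdomain.com"
MAILBOXES = {  # storage side: real inboxes, each with a quota
    "alice": Mailbox(quota_bytes=1_000_000),
    "catchall-store": Mailbox(quota_bytes=50_000, used_bytes=49_000),
}

def rcpt_decision(rcpt, size, catch_all_target=None):
    """Return (smtp_reply, deliver_to) for one RCPT TO, decided before DATA."""
    local, _, domain = rcpt.strip("<>").lower().rpartition("@")
    if domain != DOMAIN:
        # Catch-all applies to our own domain only; anything else is relaying.
        return "550 5.7.1 Relaying denied", None
    # Directory lookup first; the catch-all address only rewrites unknown users.
    target = local if local in MAILBOXES else catch_all_target
    if target is None:
        return "550 5.1.1 User unknown", None  # no catch-all: reject at the edge
    box = MAILBOXES.get(target)
    if box is None:
        # The address rule exists but no mailbox backs it: refuse rather than
        # accept mail that has nowhere to go.
        return "451 4.3.0 Catch-all destination misconfigured", None
    if box.used_bytes + size > box.quota_bytes:
        # Refusing inside the SMTP session leaves the sending server holding
        # the message, so this server never has to generate a bounce.
        return "452 4.2.2 Mailbox full", None
    return "250 2.1.5 OK", f"{target}@{DOMAIN}"

if __name__ == "__main__":
    for rcpt, size, target in [
        ("<ghost@yourdomain.com>", 1_000, None),
        ("<ghost@yourdomain.com>", 500, "catchall-store"),
        ("<ghost@yourdomain.com>", 5_000, "catchall-store"),
    ]:
        print(rcpt, "->", rcpt_decision(rcpt, size, target))
```

Every refusal happens before DATA, so a full or missing catch-all mailbox never turns into an accepted message followed by a Non-Delivery Report.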

Side-by-Side Comparison: Address vs Mailbox

| Feature | Catch All Address (Policy) | Catch All Mailbox (Storage) |
| --- | --- | --- |
| Function | Routing and validation | Storage and access |
| Protocol layer | SMTP RCPT TO | IMAP / storage backend |
| Existence | Virtual / rule-based | Physical / database-based |
| Cost | Free config toggle | Often requires a paid seat |
| Failure mode | Open relay / backscatter | Quota exceeded / denial of service |
| Outbound identity | N/A — receive-only rule | Replies as the mailbox primary address |
| Spam exposure | Accepts everything indiscriminately | Stores everything that was accepted |

The Reply Problem: Why Outbound Identity Breaks

Here's the gap most people discover too late. Your catch all mailbox can receive mail sent to any variation—partnerships@, billing-2024@, project-alpha@. But when you hit "Reply," the outgoing message comes from the mailbox's actual login identity: catchall@yourdomain.com or worse, admin@yourdomain.com.

A lead emails partnerships@yourdomain.com. It lands in your catch all mailbox. You reply. They see "From: catchall@yourdomain.com." The professional illusion breaks immediately.

To reply as partnerships@, you need to configure that specific email alias on the mailbox. Which means you're back to manual configuration for every active conversation—defeating the "dynamic" promise of catch-all.

How Major Providers Handle It

Microsoft 365

Microsoft makes you dismantle your own security. You must set the domain to "Internal Relay," which disables Directory-Based Edge Blocking. Then create a Shared Mailbox for storage and a Transport Rule for routing. If you forget to maintain an exception group for valid users, the catch-all logic steals mail meant for real people.

Google Workspace

Google buries it under Apps > Gmail > Default Routing. You specify a pattern for unrecognized recipients and change the envelope recipient to your catch all mailbox. Mapping to a Google Group saves a license fee but kills reply functionality. Mapping to a user means paying for the seat.

TrekMail

We built this to be straightforward. Toggle catch-all on in the dashboard, pick the destination mailbox from a dropdown, and you're done. No PowerShell. No transport rules. No security trade-offs. The catch all mailbox uses pooled storage, so you don't burn an extra seat just to collect misdirected mail.

  • Nano plan ($0/mo): Custom domain email with basic email forwarding—no credit card needed.
  • Starter ($3.50/mo): Catch-all inbox, multiple aliases, 14-day free trial.
  • Pro ($10/mo): Priority routing, expanded storage pool, 14-day free trial.
  • Agency ($23.25/mo): Multi-domain management, bulk alias creation, 14-day free trial.

Compliance Risk: GDPR, HIPAA, and the Data You Didn't Ask For

Enabling a catch all address means you're collecting unsolicited personal data from random senders. Under GDPR Article 5(1)(c), that's a data minimization problem. Under HIPAA, it's worse: if a patient mistypes an address and sends protected health information to docter@hospital.com, a catch-all accepts it. If IT staff can access that catch all mailbox, you've got an unauthorized disclosure and a reportable breach.

Right to Erasure requests become near-impossible when you're sifting through hundreds of thousands of spam messages to find one person's data. If you handle sensitive information, the safest move is to keep catch-all off and let the 550 error tell the sender they made a mistake.

When a Catch All Mailbox Actually Makes Sense

Catch-all isn't always wrong. It works well in specific situations:

  • New domains: You don't know which addresses people will use yet. Catch-all prevents lost leads during the first few months.
  • Acquisitions and migrations: You're inheriting a domain and need to capture mail for addresses you haven't mapped yet.
  • Small teams with many public-facing aliases: If you use aliases instead of separate mailboxes, catch-all fills the gaps.
  • Lead capture: Printed materials or old web pages reference addresses that were never formally created.

In all these cases, the key is routing to a dedicated, isolated catch all mailbox—not your primary inbox—and reviewing it on a schedule.

Setup Checklist: Getting It Right

  1. Create a dedicated mailbox (e.g., catchall@yourdomain.com). Don't reuse your admin inbox.
  2. Enable the catch all address routing policy in your provider's settings.
  3. Point it at the dedicated mailbox. Not a group. Not /dev/null.
  4. Set a storage quota. If the mailbox fills up and your server starts bouncing, you're generating backscatter.
  5. Apply aggressive spam filtering on the catch all mailbox specifically.
  6. Schedule weekly reviews. Check for legitimate misdirected mail. Promote real addresses to proper aliases.
  7. Monitor domain reputation. If your bounce rate climbs or you land on a blacklist, the catch-all is the first thing to audit.
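
One way to run the weekly review from steps 6 and 7 over what the catch-all mailbox collected (an added example, not part of the original checklist or any provider's tooling). It assumes each stored message can be reduced to source IP, original envelope recipient and sender domain; the sample records and both thresholds are constructed.

```python
# Added example: weekly catch-all review. Records and thresholds are constructed.
from collections import defaultdict

# (source IP, original envelope recipient, sender domain)
RECORDS = [
    ("203.0.113.7", "admin@yourdomain.com", "spam.example"),
    ("203.0.113.7", "invoice@yourdomain.com", "spam.example"),
    ("203.0.113.7", "billing@yourdomain.com", "spam.example"),
    ("203.0.113.7", "ceo@yourdomain.com", "spam.example"),
    ("198.51.100.20", "partnerships@yourdomain.com", "client-a.example"),
    ("198.51.100.31", "partnerships@yourdomain.com", "client-b.example"),
    ("198.51.100.20", "partnerships@yourdomain.com", "client-a.example"),
    ("198.51.100.44", "jonh@yourdomain.com", "client-c.example"),
]

def review(records, harvest_min_rcpts=4, promote_min_senders=2):
    """Return (harvest_ips, promote_to_alias, one_off_recipients)."""
    # One source probing many different unknown recipients looks like a
    # directory harvest run, not misdirected mail.
    rcpts_by_ip = defaultdict(set)
    for ip, rcpt, _sender in records:
        rcpts_by_ip[ip].add(rcpt)
    harvesters = {ip for ip, rcpts in rcpts_by_ip.items()
                  if len(rcpts) >= harvest_min_rcpts}

    # Among the remaining mail, a recipient that several independent senders
    # write to is probably in real use and is a candidate for a proper alias.
    senders_by_rcpt = defaultdict(set)
    for ip, rcpt, sender in records:
        if ip not in harvesters:
            senders_by_rcpt[rcpt].add(sender)
    promote = sorted(r for r, s in senders_by_rcpt.items()
                     if len(s) >= promote_min_senders)
    one_off = sorted(r for r, s in senders_by_rcpt.items()
                     if len(s) < promote_min_senders)
    return sorted(harvesters), promote, one_off

if __name__ == "__main__":
    harvest_ips, promote, one_off = review(RECORDS)
    print("harvest sources:", harvest_ips)
    print("promote to alias:", promote)
    print("check by hand (likely typos):", one_off)
```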

Need help setting up custom domain email before configuring catch-all? That guide covers DNS, MX records, and verification from scratch.

Conclusion: Separate the Rule From the Room

A catch all address is a routing decision: let everyone in. A catch all mailbox is where they all end up. Enable the address without securing the mailbox and you've got a storage bomb. Secure the mailbox but misconfigure the address logic and you've got a routing loop.

The fix is simple: treat them as two distinct components. Set the policy, build the storage, and keep them isolated from your production mail. If you want this handled automatically—catch-all toggle, pooled storage, no per-seat tax—TrekMail's Starter plan does it for $3.50/month with a 14-day free trial.
